One of the world’s most advanced cyber mercenary outfits, NSO Group, has been exposed again, this time for targeting a human rights lawyer and activist in Morocco, according to Amnesty International.
NSO is again coming under fire for providing powerful iPhone hacking tools to a repressive government after being outed as helping the governments of Mexico, the U.A.E. and Saudi Arabia to spy on citizens.
The Israeli company says it’s now investigating the claims made by Amnesty in a report released Thursday and shown to Forbes ahead of publication. The human rights organization is warning that Maati Monjib, a freedom of expression activist, and Abdessadak El Bouchattaoui, a human rights lawyer, were both targeted by NSO spyware. According to Amnesty, they were sent text messages containing links that, once clicked, would’ve installed the surveillance software, which is capable of hoovering up calls, texts, location and even encrypted communications like WhatsApp and Signal chats. Monjib confirmed to Forbes he believed his phone was infiltrated and snooped on.
“Morocco has a history of abuse of surveillance technology, all the way back to 2012,” said Claudio Guarnieri, a technologist at Amnesty. “These new attacks are renewed evidence of the use of spyware to silence human rights defenders. And they’re most likely not isolated incidents.” Amnesty has backed a lawsuit in Israel that’s trying to stop NSO shipping its spyware.
Human Rights Watch has condemned Morocco for its harassment and imprisonment of critical journalists and activists. The North African kingdom survived the 2011 Arab Spring with the monarchy making limited reforms but was rocked by popular protests about corruption and unemployment in 2016 and 2017.
An NSO spokesperson said it investigated reports of abuse. “If an investigation identifies actual or potential adverse impacts on human rights, we are proactive and quick to take the appropriate action to address them. This may include suspending or immediately terminating a customer’s use of the product, as we have done in the past,” an NSO spokesperson said.
“While there are significant legal and contractual constraints concerning our ability to comment on whether a particular government agency has licensed our products, we are taking these allegations seriously and will investigate this matter in keeping with our policy.” The spokesperson said that NSO’s tools should not be used to “surveil dissidents or human rights activists” and were to be used only for “investigating crime and terrorism.”
Just last week, Google claimed to have caught NSO tools being used to target Android phones. And earlier this year, an NSO customer was allegedly caught trying to hack an iPhone of a prominent human rights lawyer in the U.K. via an attack on Facebook-owned WhatsApp.
The attempted hacks on the Moroccans have been ongoing since at least 2017, Amnesty said, though it didn’t go as far as to name any government agency behind the attacks. (The Moroccan Embassy in London had not responded to a request for comment at the time of publication.)
Maati Monjib, who’s also cofounder of the journalist rights NGO Freedom Now, told Forbes he believes that he likely clicked on two or three malicious links concealed in messages sent to his iPhone in the last two years. One of the texts promised a free version of an unnamed, bestselling book about President Trump. Another promised a new feature in communications app Truecaller to reveal who’d searched for the user’s number.
Monjib said he believes he was successfully infected with NSO’s malware “because the Moroccan political police agents followed me and published in their news outlets false private information on me and my family.” “The main goal of the attack and electronic surveillance is to defame me and put me under permanent pressure,” he added.
Monjib is of particular interest to the Moroccan state in part because of his role in promoting a mobile app, StoryMaker, which let citizen journalists publish content anonymously. As per the Amnesty report, Monjib now stands accused of threatening national security in an ongoing trial. He said his trial has been postponed 17 times in four years. Indeed, reports of his original detention go back to 2015, when six others were accused of helping create and support the app. His next hearing is scheduled for October 30, Monjib added.
Abdessadak El Bouchattaoui now lives in France, having been granted asylum in the country. He fled in 2018 after he was sentenced to 20 months in prison and a fine for online posts in which he criticized the use of excessive force by the authorities during social justice protests in 2016 and 2017. Amnesty said the malware-laced messages were sent to him at the peak of the protests in 2017. In his case, the texts came in a flurry, and the malicious link offered a way to stop receiving the messages.
Amnesty said the links sent to the pair were stopsms[.]biz and infospress[.]com. The human rights watchdog said those domains were previously identified as being used by NSO Group for its surveillance operations.
A more dangerous method?
Amnesty’s technical researchers also claimed the NSO malware targeting Moroccans was being delivered via another, more secretive hacking technique. Called a “network injection attack,” it sees the target sent to malicious websites as they surf the web, where spyware is launched on their phone.
It often requires the involvement of either a legitimate telecoms provider or network infrastructure controlled by a surveillance company. In this case, Amnesty found evidence that the spyware was being installed on a human rights defender’s phone via their mobile network.
Whilst Amnesty said it couldn’t link the network injection attacks to NSO, it had evidence at least one attempt resulted in the compromise of Monjib’s iPhone. Forbes has previously been told by sources that NSO is capable of such attacks, in part thanks to its merger with another Israeli surveillance company, Circles, in 2014.